Discussion:
DNSSEC Errors on geo.freebsd.org
patrick.prugger--- via freebsd-pkg
2021-05-01 21:08:29 UTC
Permalink
Hello everyone!

I just turned on DNSSEC validation on my DNS and it came to my attention that pkg
now doesn't work anymore.
Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
repository catalogue.

Unfortunately it seems freebsd.org is signed with DNSSEC, but
geo.freebsd.org isn't, which leads to a DNSSEC error, broken chain of trust.
For a diagram look here:
https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/

Does anyone here have a contact to the maintainers of the freebsd.org DNS
zone?

Best regards
Patrick Prugger
Rainer Duffner
2021-05-01 23:05:38 UTC
Permalink
Post by patrick.prugger--- via freebsd-pkg
Hello everyone!
I just turned on DNSSEC validation on my DNS and it came to my attention that pkg
now doesn't work anymore.
Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
repository catalogue.
Unfortunately it seems freebsd.org is signed with DNSSEC, but
geo.freebsd.org isn't, which leads to a DNSSEC error, broken chain of trust.
https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/
Does anyone here have a contact to the maintainers of the freebsd.org DNS
zone?
https://www.freebsd.org/administration/#t-dnsadm
Ryan Steinmetz
2021-05-01 23:23:11 UTC
Permalink
Post by Rainer Duffner
Post by patrick.prugger--- via freebsd-pkg
Hello everyone!
I just turned on DNSSEC validation on my DNS and it came to my attention that pkg
now doesn't work anymore.
Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
repository catalogue.
Unfortunately it seems freebsd.org is signed with DNSSEC, but
geo.freebsd.org isn't, which leads to a DNSSEC error, broken chain of trust.
https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/
There's no error here and this host does indeed work fine with a
validating recursive resolver.

geo.freebsd.org is delegated to a separate set of nameservers which
handle geo-based replies. DNSSEC is intentionally not present on the
zone, as the software that responds with dynamic replies does not
currently support signing those.

You should investigate your setup a bit more.

-r
Post by Rainer Duffner
Post by patrick.prugger--- via freebsd-pkg
Does anyone here have a contact to the maintainers of the freebsd.org DNS
zone?
https://www.freebsd.org/administration/#t-dnsadm
--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
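The distinction Ryan is drawing is the one a validating resolver makes at every zone cut: a child with no DS record at its signed parent is an "insecure" delegation, which is accepted (without the AD bit), provided the parent returns a signed NSEC or NSEC3 record proving that no DS exists; only a missing or unverifiable proof turns the answer "bogus" and produces SERVFAIL. The following is an added example, not code from this thread, from FreeBSD or from unbound. It models that decision on constructed records that mirror the thread (freebsd.org signed, geo.freebsd.org unsigned); the RRSIG-valid flags stand in for real signature verification so it runs offline, and the owner and next-owner names are invented (the real zone may use NSEC3, whose owner names are hashed before comparison).

```python
"""Classify a delegation's DNSSEC status the way a validating resolver does.

Added example, not code from the freebsd-pkg thread, FreeBSD or unbound.
All records are constructed to mirror the thread: freebsd.org is a signed
parent, geo.freebsd.org an unsigned delegation. No cryptography is done;
the *_valid flags stand in for a verified RRSIG.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 section 6.1 canonical name order: labels compared right to
    left, case-insensitively. Root ('.') maps to the empty tuple."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return tuple(label.lower().encode("ascii") for label in reversed(labels))


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    types: FrozenSet[str]   # RR types listed in the NSEC type bitmap
    rrsig_valid: bool       # stand-in for "the RRSIG over this NSEC verified"


@dataclass(frozen=True)
class Delegation:
    parent: str
    child: str
    parent_signed: bool              # the parent's own chain of trust is intact
    ds_rrsig_valid: Optional[bool]   # None: no DS RRset at the parent; else its RRSIG result
    nsecs: List[Nsec]                # authority-section NSECs returned for the DS query


def proves_no_ds(rec: Nsec, child: str) -> bool:
    """RFC 4035 section 5.2: a signed NSEC owned by the delegation name proves
    an insecure delegation when it lists NS, omits DS and omits SOA (an NSEC
    carrying SOA would come from the child apex, not from the parent)."""
    return (
        rec.rrsig_valid
        and canonical_key(rec.owner) == canonical_key(child)
        and "NS" in rec.types
        and "DS" not in rec.types
        and "SOA" not in rec.types
    )


def classify_delegation(d: Delegation) -> str:
    """Return 'secure', 'insecure' or 'bogus' for the child zone."""
    if not d.parent_signed:
        return "insecure"      # chain already ended above this cut
    if d.ds_rrsig_valid is True:
        return "secure"        # DS validates; validation continues into the child
    if d.ds_rrsig_valid is False:
        return "bogus"         # DS present but its signature fails
    # No DS returned: the parent must prove that with a signed NSEC, otherwise
    # the resolver cannot tell an unsigned child from a stripped DS record.
    if any(proves_no_ds(n, d.child) for n in d.nsecs):
        return "insecure"
    return "bogus"


def resolver_outcome(status: str) -> str:
    """What a stub client sees for each validation state."""
    return {
        "secure": "answer returned, AD bit set",
        "insecure": "answer returned, AD bit clear",
        "bogus": "SERVFAIL",
    }[status]


# Constructed records; names and type bitmaps are illustrative only.
_PARENT, _CHILD = "freebsd.org.", "geo.freebsd.org."
_DELEG_TYPES = frozenset({"NS", "RRSIG", "NSEC"})
_PROOF = Nsec(_CHILD, "www.freebsd.org.", _DELEG_TYPES, True)

SCENARIOS: Dict[str, Delegation] = {
    "unsigned child, signed proof of no DS": Delegation(_PARENT, _CHILD, True, None, [_PROOF]),
    "unsigned child, proof missing": Delegation(_PARENT, _CHILD, True, None, []),
    "unsigned child, NSEC not signed": Delegation(
        _PARENT, _CHILD, True, None, [Nsec(_CHILD, "www.freebsd.org.", _DELEG_TYPES, False)]),
    "unsigned child, NSEC taken from child apex": Delegation(
        _PARENT, _CHILD, True, None,
        [Nsec(_CHILD, "www.freebsd.org.", _DELEG_TYPES | {"SOA"}, True)]),
    "signed child, DS validates": Delegation(_PARENT, _CHILD, True, True, []),
    "signed child, DS signature broken": Delegation(_PARENT, _CHILD, True, False, []),
}

if __name__ == "__main__":
    for label, deleg in SCENARIOS.items():
        status = classify_delegation(deleg)
        print(f"{label:45} -> {status:8} ({resolver_outcome(status)})")
```

The first scenario is the situation Ryan describes: the answer comes back, just without the AD bit, and pkg proceeds. The "proof missing" and "NSEC not signed" scenarios are what a resolver that cannot obtain or verify the parent's denial sees, and they end in SERVFAIL. When debugging a case like Patrick's, asking the parent's authoritative servers for the DS record with `+dnssec` (e.g. `dig +dnssec DS geo.freebsd.org @<parent nameserver>`) shows whether the signed NSEC/NSEC3 denial is present; if it is, the failure lies in the local resolver rather than in the zone.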
patrick.prugger--- via freebsd-pkg
2021-05-02 18:54:56 UTC
Permalink
Hello everyone!

After hours of debugging I found out it actually seems to be a bug in the
TLS interface of unbound 1.9.0.2.
I just patched to unbound 1.13.1 from buster-backports and now it works.

Thanks for your help!

Best regards
Patrick Prugger

-----Original message-----
From: Ryan Steinmetz <***@freebsd.org>
Sent: Sunday, 2 May 2021 01:23
To: Rainer Duffner <***@ultra-secure.de>
Cc: ***@uname.at; freebsd-***@freebsd.org; ***@freebsd.org
Subject: Re: DNSSEC Errors on geo.freebsd.org
Post by Rainer Duffner
Post by patrick.prugger--- via freebsd-pkg
Hello everyone!
I just turned on DNSSEC validation on my DNS and it came to my attention
that pkg now doesn't work anymore.
Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
repository catalogue.
Unfortunately it seems freebsd.org is signed with DNSSEC, but
geo.freebsd.org isn't, which leads to a DNSSEC error, broken chain of trust.
https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/
There's no error here and this host does indeed work fine with a validating
recursive resolver.

geo.freebsd.org is delegated to a separate set of nameservers which handle
geo-based replies. DNSSEC is intentionally not present on the zone, as the
software that responds with dynamic replies does not currently support
signing those.

You should investigate your setup a bit more.

-r
Post by Rainer Duffner
Post by patrick.prugger--- via freebsd-pkg
Does anyone here have a contact to the maintainers of the freebsd.org
DNS zone?
https://www.freebsd.org/administration/#t-dnsadm
--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
